15th annual report 2007/2008

Below, you can find a selection of articles taken from the FDIPC's 15th annual report. If you are interested in the complete version of the reports, please refer to the corresponding pages in German or French.

In the last report on activities, I compared the role of the Data Protection Commissioner with Sisyphus, the tragic figure from Greek mythology condemned for all eternity to roll the same huge rock up a mountain. No sooner has one data protection problem been solved, a new one crops up. But in spite of the fact that the overall picture may hardly change from one year to the next, the annual report nevertheless provides an opportunity of looking back over the past and celebrating the successes that have been achieved. To put it in a nutshell: a pragmatic approach to data protection carries with it the seeds of success.

The circumscribed and regulated use of biometric data to facilitate authentication during ID checks and for greater security in identity documents does not run counter to data protection principles. By contrast, the use of such data for identification purposes is more problematic and raises a number of concerns.

The implementation of the Schengen Association Agreement was evaluated by the EU before the entry into force of the Schengen Information System (SIS) in Switzerland. During the evaluation visit to the Swiss data protection authorities, the competence of the FDPIC as well as that of several cantonal authorities was examined.

The introduction of DNA tests for family reunification purposes in the French Immigration Act sparked heated debate. In Switzerland, the practice already exists: in exceptional cases, the granting of an authorisation may be subject to a DNA analysis provided that the person concerned agrees to this in writing. In our view, such a practice should only be applied in a very restrictive manner.

Biological samples may be exported to the USA provided that the data subject has given his or her prior consent. Without such consent, the data may only be disclosed if there are sufficient guarantees that the recipient country has an adequate level of data protection.

The mission of the World Anti-Doping Agency (WADA) is to coordinate and support all measures aimed at combating doping. As WADA also collects data for this purpose in Switzerland, we have analysed the activities carried out by WADA which fall within the scope of the Swiss Data Protection Act. We have come to the conclusion that in certain areas WADA cannot be excluded from the application of the FADP. As a result, we have suggested that during the revision of the Sports Promotion Act, a legal basis be established in order to simplify international cooperation in the fight against doping.

A report published in the New York Times on 23 June 2006 revealed that the Society for Worldwide Interbank Financial Telecommunication (SWIFT) had provided the USA with limited access to data held at its US Operation Centre within the context of the fight against terrorism. The data protection issues this raised were discussed with the Federal Council and the Swiss banks. As part of the political solution negotiated with the USA, security guarantees were agreed and Swiss bank customers were informed proactively that their data might be passed on to the US authorities. Furthermore, SWIFT announced that in future it would only process transaction data in the USA that concerned the transatlantic transfer of funds. In order to be able to implement this solution technically, SWIFT decided to establish a third Operations Centre in Switzerland.

Within the context of their international business activities, Swiss financial institutions may find themselves having to provide evidence to foreign governments (especially the USA) that they respect the sanctions imposed by those countries. Failure to do so may in certain circumstances result in a curtailment of their activities in the country in question. One Swiss credit institution, which acted as a transfer bank for international payments, considered voluntarily handing over the transfer data to the US authorities. After examining the case as well as the legal situation, we reached the conclusion that to prove that the bank had respected US laws, a voluntary disclosure of the transfer data could only be authorised if it was anonymized.